cpeggg/Netgear-upnpd-poc

Netgear-upnpd-poc

Stack overflow in Netgear upnpd request processing.

Any user can get remote code execution through the LAN. This vulnerability currently affects the latest R, RAX and XR series, including R6400v2(V1.0.4.102_10.0.75), R6400(V1.0.1.62_1.0.41), R7000P(V1.3.2.126_10.1.66), XR300(V1.0.3.50_10.3.36), R8000(V1.0.4.62), R8300(V1.0.2.136), R8500(V1.0.2.136), R7300DST(V1.0.0.74), R7850(V1.0.5.64), R7900(V1.0.4.30), RAX20(V1.0.2.64), RAX80(V1.0.3.102) and R6250(V1.0.4.44). We believe many more models are affected by this vulnerability.

Vulnerability description

This vulnerability occurs when upnpd receives and processes a specific message and copies the user data to the stack buffer; attackers can exploit this to get remote code execution.
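The bug class described above, as an added example that is not upnpd's code or the PoC from this repository: a header value from a received SSDP request copied into a fixed-size buffer with the length checked first. The function name, return codes and buffer sizes are assumptions; the page does not say which part of the message is copied.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Unsafe pattern (the bug class only, not upnpd's code):
 *     char value[64];
 *     strcpy(value, header_start);   // length is chosen by the sender
 */
enum { HDR_OK = 0, HDR_MISSING = -1, HDR_TOO_LONG = -2 };

/* Copy the value of header `name` from a received datagram into `out`.
 * `msg` need not be NUL-terminated: every read is bounded by `msg_len`,
 * every write by `out_size`. An overlong value is rejected, not truncated. */
int ssdp_get_header(const char *msg, size_t msg_len, const char *name,
                    char *out, size_t out_size)
{
    size_t name_len = strlen(name);
    const char *p = msg, *end = msg + msg_len;

    if (out_size == 0)
        return HDR_TOO_LONG;
    out[0] = '\0';

    while (p < end) {
        const char *eol = memchr(p, '\n', (size_t)(end - p));
        const char *line_end = eol ? eol : end;
        size_t line_len = (size_t)(line_end - p);

        if (line_len > name_len && p[name_len] == ':' &&
            strncasecmp(p, name, name_len) == 0) {
            const char *v = p + name_len + 1;   /* first byte after ':' */
            const char *ve = line_end;
            while (v < ve && (*v == ' ' || *v == '\t'))
                v++;                            /* skip leading blanks */
            while (ve > v && (ve[-1] == '\r' || ve[-1] == ' ' || ve[-1] == '\t'))
                ve--;                           /* drop CR and trailing blanks */
            size_t vlen = (size_t)(ve - v);
            if (vlen >= out_size)               /* no room for value + NUL */
                return HDR_TOO_LONG;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return HDR_OK;
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return HDR_MISSING;
}
```

The caller treats `HDR_TOO_LONG` as a malformed request and drops the datagram instead of continuing with a truncated value.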

PoC

Refer to this video: pov.mkv

Timeline

2020.11.9 reported to CVE and Netgear

CVE ID

CVE-2020-28373

Acknowledgment

Credit to @peanuts, @leonW7 and @cpegg from Technology Research Institute of Legendsec at Qi'anxin Group.

About

Netgear upnpd ssdp request process stack overflow poc
